Almost two years after Equifax’s massive hack, the majority of Fortune 500 companies still haven’t learned the lesson about using vulnerable software.
In the last six months of 2018, two-thirds of the Fortune 500 companies downloaded a vulnerable version of Apache Struts, the same web application framework whose unpatched flaw was used by hackers to steal the personal data of close to 150 million consumers, according to data shared by Sonatype, an open-source automation firm.
That’s despite the fix having been available months before the breach, and almost two years’ worth of patched Struts versions having been released since.
Sonatype wouldn’t name the Fortune 100 firms that had downloaded the vulnerable software, nor was it clear what the software was used for. Sonatype did say that the companies included more than half of the 26 financial and 19 energy companies, and more than half of all healthcare and technology companies.
In all, more than 18,000 businesses downloaded vulnerable versions of Struts, the company said.
Sonatype’s technology monitors millions of open-source commits per day, Sonatype’s chief executive Wayne Jackson told TechCrunch last year. That lets it see what’s new and updated, flag vulnerable components in use, and recommend newer, patched versions.
The company, which already works with Fannie Mae and Tomitribe, announced Tuesday a new working relationship with Equifax to monitor the open-source libraries the credit agency uses across its network, to help prevent another breach.
It’s a stark turnaround from its massive 2017 hack, which a House committee investigation late last year found was “entirely preventable” had the company patched its vulnerable servers months earlier, when the patches and the advisories to companies were released.
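The kind of check that monitoring boils down to, as an added example that is not from the article or from Sonatype: scan a Maven dependency listing and flag any Struts 2 artifact whose version predates the release that fixed the flaw exploited at Equifax. The fixed versions (2.3.32 and 2.5.10.1, for CVE-2017-5638) are stated here as a fact outside the article; the sample dependency listing is constructed for the example, and the handling of release lines older than 2.3 or newer than 2.5 is an assumption explained in the code.

```python
"""
Added example (not from the article or Sonatype): flag Apache Struts 2
artifacts in a Maven dependency listing whose version predates the fix for
the flaw exploited in the Equifax breach.
"""
import re
from typing import Iterable, List, Tuple

# Fact outside the article: the Struts remote-code-execution flaw used against
# Equifax (CVE-2017-5638) was fixed in Struts 2.3.32 and 2.5.10.1. The fix
# version is keyed by release line so 2.3.x and 2.5.x are compared separately.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Shape of a `mvn dependency:list` line: groupId:artifactId:type:version[:scope]
DEP_RE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::(\w+))?"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); a non-numeric qualifier ends the tuple."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_struts(group: str, artifact: str, version: str) -> bool:
    """True for any Struts 2 artifact older than the fixed release of its line.

    All struts2-* artifacts share the Struts release version, so a plugin pinned
    at an old version reveals an old Struts even if core is resolved elsewhere.
    """
    if group != "org.apache.struts" or not artifact.startswith("struts2-"):
        return False
    parsed = parse_version(version)
    line = parsed[:2]
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Assumption: lines older than 2.3 never received the fix (end of life),
        # lines newer than 2.5 postdate it.
        return line < (2, 3)
    # Tuple comparison makes (2, 5, 10) < (2, 5, 10, 1) and (2, 3, 31) < (2, 3, 32).
    return parsed < fixed


def scan_dependency_list(lines: Iterable[str]) -> List[str]:
    """Return 'group:artifact:version' for each vulnerable Struts entry found."""
    findings = []
    for line in lines:
        match = DEP_RE.match(line)
        if not match:
            continue
        group, artifact, version, _scope = match.groups()
        if is_vulnerable_struts(group, artifact, version):
            findings.append(f"{group}:{artifact}:{version}")
    return findings


# Constructed sample in the shape of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.3:compile
""".splitlines()


if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print("VULNERABLE:", finding)
```

In a real build, pipe `mvn dependency:list` (or the equivalent Gradle report) into `scan_dependency_list`; the comparison is per release line because a 2.5.x build is not made safe by 2.3.32 existing, and vice versa.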
Bryson Koehler, Equifax’s chief technology officer of just six months, said in remarks that the company is “focused on building security into each software application from the start and enhancing it throughout the development process.”
Sonatype raised $80 million in September following a $30 million round two years earlier.